auth0 / node-jsonwebtoken

JsonWebToken implementation for node.js http://self-issued.info/docs/draft-ietf-oauth-json-web-token.html
MIT License

About expiresIn, how to prevent clients from tampering with system time? #700

Closed ddxl123 closed 4 years ago

ddxl123 commented 4 years ago

Is the expiration time based on the client system time or the server system time? If it is a client, how to prevent the client system time from being tampered with? If it is a server, how to prevent the server system time from being tampered with? And, what is the difference between expiresIn and notBefore?

panva commented 4 years ago

Timestamps are always evaluated by whoever is consuming the token. In general it is best practice to allow a reasonable clock skew when it comes to evaluation, but JWT as a format does not deal with local time setting tampering. At some point there needs to be an authority that knows its local time setting is correct that also processes the JWT.

yacineMTB commented 4 years ago

Closing, feel free to reopen if you need any further clarifications